As I understand it, the hosts on different subnets cannot communicate with each other unless there is a router somewhere on both subnets that forwards traffic between them.

I have two subnets on a network, say: 192.168.0.0/24 and 192.168.1.0/24. I want to create a firewalled route between them, using a Linux box connected to both subnets. The firewall would be implemented in iptables.

All hosts connected to the network will be trusted, and users would not have admin rights to alter their networking configuration (i.e. to just connect on the other subnet).

Assuming everything I said above isn't complete nonsense, what are the possible ways in which a user connected to one subnet could bypass the firewall and gain access to the other subnet?

Obvious ones that occur to me are simply connecting an untrusted host.

To clarify:
What I'm attempting to do is create a custom firewall solution (not off the shelf). It is to be integrated into an existing solution, which already runs on a Linux box, so that side of things is fixed.

The firewall would allow the definition of zones, based on either physical NICs or VLANs.

It seems to me that physical LAN based zones are susceptible only to someone physically connecting to the network that they are not supposed to. Encryption aside, that comes down to physical security at that point. Assuming you've not misconfigured a switch somewhere to expose an endpoint carrying dot1Q traffic, or to allow a VLAN hopping attack, the VLAN based zones are essentially the same.

The root of my question is whether or not subnet based zones (running on the same physical hardware) can be added to the list of things that can be feasibly firewalled. This would rely of course upon all the connected hosts being "trusted", and all the users (to which the firewall applies at least) not having administrative rights to mess with network settings.

2 Answers

First, if you've got devices running on two different subnets on the same logical/physical LAN, then you are going to have essentially zero security on that LAN between subnets. While you ~think~ the devices will be unable to access anything, you cannot be sure you won't have a rogue device. Because of this, I'm going to straight-up assume that this is not the case. Following that, it's fairly easy to set up a Linux box with iptables as a router. It's fairly detailed in the configuration of the Linux box and some of the specifics may depend on exactly which distro you are running, but the basic box is two NICs, one plugged into each network, followed by some software that will do routing (easy to find, even included in some distros) followed by your iptables configuration. Plug NIC1 into 192.168.0.0/24 and NIC2 into 192.168.1.0/24 and you have a bridge between the two subnets for traffic that needs to travel between them.

Here's that second part: it would be far simpler for you to purchase (even a used) router from a reputable manufacturer than it would be for you to assemble and configure this Linux box to do the same task. Most real routers are capable of doing ACLs, which is really about what iptables would be doing for most of the config, and some routers are capable of doing zone-based firewalls with packet inspection. A used Cisco 1841 would not set you back much, and would be about as "legit" as the Linux RouterWall combo you're asking about. A little bit of google-fu and you can probably find enough Cisco CLI commands to straighten you out fairly quickly and get that box up and doing what you need it to do within less than twenty minutes. I'm not against anyone ever doing something the "hard way" just for the fun of it... but unless that's your goal, it seems to me like you're trying really hard to fix a problem with an answer that's more complicated than the problem itself.

Please see my clarification above. I agree with you that you can't guarantee that you don't have a rogue device, but then you similarly can't guarantee that in the other two scenarios (physical/VLAN) I've outlined. It comes down again to physical security. The only difference I can see is that the physical security is harder to enforce; your physical LANs can be in physically separate locations, and you can put your VLAN switches in locked cupboards, making them just as secure. It's simply easier (physically) to connect an untrusted host to a cable you've already got in your hands.
– Jamie Cockburn, Feb 7 '14 at 9:49

Without VLANs (two subnets, same logical LAN) a host can simply change its IP address and be on the other subnet. With VLANs, this is not the case. More importantly, VLANing creates unique broadcast networks as well, preventing devices from capturing (and thus replying, replicating, or spoofing) broadcast traffic from hosts. Remember that traffic inside a subnet is not ROUTED, but is SWITCHED (caps simply to ensure clarity, as the terms are specific). With multiple subnets on the same logical LAN (which a non-VLAN'd physical network would be) the traffic would never hit the firewall.
– George Spiceland, Feb 15 '14 at 0:35

If the firewall is connected to two unique logical LANs (either through VLANs or physical separation) then your "subnet zones" idea works, but it's because the separate logical LANs constitute the unique zones in the firewall's ZBF configuration, regardless of subnet.
– George Spiceland, Feb 15 '14 at 0:37
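The two-NIC iptables router described in the answer above, and the comments' point that a host can simply change its IP address, come together in the ingress filtering of the forwarding rules. The script below is an added example, not code from the question or either answer: it assumes eth0 carries 192.168.0.0/24 and eth1 carries 192.168.1.0/24 as separate layer-2 segments (the assumed zone policy of TCP 22 and 443 from zone A to zone B is also illustrative). Each interface only accepts forwarded packets whose source address belongs to that interface's own subnet, so a host that reconfigures itself into the other subnet gets dropped at the router instead of being routed. Setting `IPTABLES=echo SYSCTL=echo` prints the rules instead of applying them, which is how the script can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the original question or answers): a minimal
# two-zone forwarding firewall for a Linux box with one NIC per subnet.
# Interface names, subnets and the zone policy are assumptions.
# Run as "sh fw.sh apply" on the router; set IPTABLES=echo SYSCTL=echo
# to print the resulting commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

ZONE_A_IF=eth0; ZONE_A_NET=192.168.0.0/24   # assumed zone A
ZONE_B_IF=eth1; ZONE_B_NET=192.168.1.0/24   # assumed zone B

# Drop forwarded packets arriving on an interface whose source address
# is not in that interface's own subnet. A host that reconfigures its IP
# into the other zone's range is rejected here, provided the two zones
# are separate layer-2 segments (otherwise the traffic never reaches us).
anti_spoof() {
    iface=$1; own_net=$2
    $IPTABLES -A FORWARD -i "$iface" ! -s "$own_net" -j DROP
}

apply_rules() {
    # Turn the box into a router and enable kernel reverse-path checks,
    # which reject packets whose source would be routed back out a
    # different interface than the one they arrived on.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1

    # Deny-all forwarding policy; INPUT/OUTPUT for the box itself are
    # deliberately left untouched by this example.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    anti_spoof "$ZONE_A_IF" "$ZONE_A_NET"
    anti_spoof "$ZONE_B_IF" "$ZONE_B_NET"

    # Let replies to already-permitted connections flow back.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Zone policy (assumed): hosts in A may open SSH and HTTPS to B.
    # Nothing is permitted from B to A, and nothing else from A to B.
    $IPTABLES -A FORWARD -i "$ZONE_A_IF" -o "$ZONE_B_IF" \
        -s "$ZONE_A_NET" -d "$ZONE_B_NET" \
        -p tcp -m multiport --dports 22,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) whatever falls through to the DROP policy, so
    # bypass attempts such as spoofed sources show up in syslog.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Because the anti-spoof rules come before the ACCEPT rules, they apply to every direction and protocol; the conntrack rule only admits return traffic for connections that the explicit zone rule already allowed. Note that the script does not persist the rules across reboots (iptables-save or the distribution's own mechanism is needed for that).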

I can't speak for Linux, but I have a simpler question, what are you trying to accomplish here? (I am going to aimlessly guess and see if I might get close, but you should clarify in your question.)

It seems like you are trying to connect two subnets and allow traffic. OK, fine, but if the subnets are physically separate, you can't just use the other subnet if the routing interface doesn't exist on that subnet. Meaning even if you change your IP to 192.168.0.223 on the 192.168.1.x subnet, it won't be able to route to your gateway (Linux box) because it is simply on the wrong subnet.

Typically subnets are physically or logically separated. Either because they are on different hardware or done using VLANs or some other logical segregation. Meaning even if you have an IP from one subnet, it won't work on another because the devices used to route traffic off that subnet aren't p

As far as "trusted" hosts go, anyone that can plug something into your network would be untrusted, but unless you are authenticating the client (IPsec/certificate/etc.) it is possible to change the MAC and IP address on just about any network adapter. So you can't just "trust" them in that fashion. Since I don't know what your needs are, I can't really comment on that. There are methods that are available on switching hardware like 802.1X that might be what you are looking for.